Multiple dApps Compromised Due to Potential Supply Chain Attack

Matthew Lilley, CTO at SushiSwap, has warned on X (Twitter) that users should avoid interacting with any decentralized applications (dApps) for now. Several other dApps have since confirmed that they were compromised.

Security incidents in the crypto realm are frequent, but they are usually isolated to a single protocol. As of writing, however, there is an ongoing attack affecting many decentralized applications (dApps) at once.

Users Asked to Avoid Interaction With dApps Due to a Compromise

Lilley wrote on X (Twitter):

Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.

The SushiSwap CTO later clarified that dApps using Ledger ConnectKit are vulnerable. He warned:

This isn’t a single isolated attack, it’s a large-scale attack on multiple dApps.


The Web3 security firm Blockaid suspects a potential supply chain attack on the Ledger ConnectKit. It wrote:

The attacker injected a wallet-draining payload into the popular NPM package. This currently affects a couple of popular dapps including but not limited to Hey.xyz, and Sushi.com.

Blockaid also told BeInCrypto that over $150,000 worth of funds had been lost in the past two hours. Revoke.cash confirmed that it, too, had been compromised and urged users to avoid using any crypto website until there is further clarity.

Lilley tried to summarise the incident in three points, saying that Ledger made “a chain of terrible blunders.” He said:

  1. They are loading JS from a CDN
  2. They are not version-locking loaded JS.
  3. They had their CDN compromised.

Finally, Ledger informed the users that it had identified and removed the malicious version of the ConnectKit. It wrote on X (Twitter):

A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.

Your Ledger device and Ledger Live were not compromised.


Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content.

Source: https://beincrypto.com/multiple-dapps-compromised-supply-chain-attack/